Wednesday, 26 October 2016

HKCTC & HKAS Workshop on ISO 27001 ISMS Certification 2016

The Hong Kong Council for Testing and Certification (HKCTC), the Hong Kong Accreditation Service (HKAS) and The Hong Kong General Chamber of Small and Medium Business co-organized a workshop entitled “Workshop on ISO/IEC 27001 Information Security Management System Certification 2016” on 26 Oct 2016. Certification of an ISMS to ISO/IEC 27001 allows an organization to demonstrate that its information assets are adequately protected against information security risk. The workshop aimed to give an overview of ISO/IEC 27001 and to discuss how to prepare for the certification process. The Hong Kong Society for Quality (HKSQ) and the Hong Kong Science and Technology Parks Corporation (HKSTP) were the supporting organizations. Ms. Angela Wong (Vice-chairman, HKSQ) and I attended the workshop and took a photo for memory.

In the beginning, Mr. Kesson Lee (Secretary-General, HKCTC) gave the opening remarks. He said ISO 27001 was of increasing concern as a way to avoid potential business loss, and that ICT was one of the areas in the Testing & Certification industry to be focused on.

Dr. YAU Bun, Oliver (Vice President, The Hong Kong General Chamber of Small and Medium Business) then gave the welcoming remarks.

Mr. Ronald Pong then introduced ISO 27005:2011 risk management. He said that Risk included Vulnerability and Threat (environmental factors), and he discussed the Scope and Objectives. Since resources were limited, he suggested focusing on the key business processes (major processes and sub-processes). The objectives were based on Confidentiality, Integrity and Availability (CIA).

ISO 27004 was used for risk calculation (measurement) to evaluate safeguard effectiveness. He also told us to check the inventory first, which consisted of a fixed part and a dynamic part, such as the Network Diagram plus the Data Flow Diagram.

Finally, Mr. Ronald Pong briefed us on the development of the Threat Model based on the PDCA cycle. He also discussed impact criteria based on ISO 27005, in which Vulnerability Scanning (for an individual system) and Penetration Testing (for an end-to-end business process) used scenarios. For DR and BCP, he advised considering the Operation Level Agreement (OLA) and the Service Level Agreement (SLA). For security incidents, he used ISO 27037 to keep evidence for evaluation. At the end, he said that awareness training was important but that it should use a role-based approach (e.g. Management, General User and Technical User).

The second speaker was Mr. Norman PAN (Managing Consultant, Doctor A Security Systems (HK) Ltd.), and his topic was “Getting Certified ISO/IEC 27001 – Experience Sharing”. Mr. Pan introduced his company first. They had been certified to ISO 27001 since 2003 (at that time named BS 7799). He said ISO 27001 included Risk Evaluation plus a Management System.

Mr. Norman Pan then shared a case about Firewall & Antivirus against Ransomware. He said the antivirus was not able to screen the ransomware (0% detection) and the URL scan had only a 5% success rate! He suggested two preventive actions:

i) Network Separation (e.g. separated File Server and Email Server)

ii) Remove all Flash Player installations from your computers.

After that, Mr. Pan shared about Risk Management, but he said we needed to understand the ISO 27001 management system clauses first and then use the Annex objectives for risk evaluation. Without a risk evaluation, we would not be able to complete the Statement of Applicability (SOA). Finally, he summarized that certified ISO 27001 could differentiate a company in the market and gain customer confidence. He also said that top management support could be confirmed if the information security item appeared in the budget.

Mr. Leung Chi-chiu (Accreditation Officer, HKAS) was the last speaker, and his topic was “Hong Kong Accreditation Service (HKAS) – How its Services Help You”. Mr. Leung introduced Accreditation as the issuance of a statement of conformance by a third party (i.e. an accreditation body) to a conformity assessment body (i.e. a laboratory, inspection body, certification body, or validation and verification body), conveying formal demonstration of its competence to carry out specific conformity assessment tasks (ISO/IEC 17024).

He used a diagram to explain the relationship among Industry, the Certification Body and the Accreditation Body. HKAS follows ISO/IEC 17021-1 and ISO/IEC 27006 for certification body accreditation.

A summary of MRA/MLA partners was shown. Finally, Mr. Leung briefed us on the benefits of HKAS accreditation, which included formal recognition of CB competence to enhance reputation and deliver confidence to their clients.


About me

The author writes under the pen name 劍如虹. He graduated from City University of Hong Kong and The Hong Kong Polytechnic University; his academic fields include applied science, applied physics, computing, chemistry and environmental engineering, and he completed a doctorate in engineering management in his spare time. A fondness for wuxia-style computer games sparked the idea of presenting quality management theory in the style of a wuxia novel. The author currently works as a quality manager and has published papers and research reports many times at international conferences and in academic journals organized by professional societies.
Dr. Lotto Lai has 20 years of hands-on experience in scientific research, quality assurance and management in a Commercial Laboratory, a University Testing Centre, a Certification Body and a Consultancy Firm.
He is a Former Chairman & Fellow of HKSQ, MHKIE, FASQ, CMQOE and an IRCA QMS Lead Auditor, as well as an Associate Academician of the IAQ.